==Phrack Inc.==
Volume Three, Issue Thirty-Three, File 12 of 13
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN                                             PWN
PWN              Phrack World News              PWN
PWN                                             PWN
PWN           Issue XXXIII / Part Two           PWN
PWN                                             PWN
PWN            Compiled by Dispater             PWN
PWN                                             PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Legion of Doom Goes Corporate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is a compilation of several articles by Michael Alexander
of ComputerWorld Magazine about Comsec Data Security, Inc.
Comsec Data Security, Inc.

Chris Goggans a/k/a Erik Bloodaxe              60 Braeswood Square
Scott Chasin a/k/a Doc Holiday                 Houston, Texas 77096
Kenyon Shulman a/k/a Malefactor                (713)721-6500
Robert Cupps - Not a former computer hacker    (713)721-6579 FAX
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hackers Promote Better Image (Page 124) June 24, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HOUSTON -- Three self-professed members of the Legion of Doom, one of the
most notorious computer hacker groups to operate in the United States, said
they now want to get paid for their skills. Along with a former securities
trader, the members launched a computer security firm called Comsec Data
Security that will show corporations how to keep hackers out.
"We have been in the computer security business for the last 11 years --
just on the different end of the stick," said Scott Chasin who said he once
used the handle Doc Holiday as a Legion of Doom member. The group has been
defunct since late last year, Chasin said.
The start-up firm plans to offer systems penetration testing, auditing,
and training services as well as security products. "We have information that
you can't buy in bookstores: We know why hackers hack, what motivates them,
why they are curious," Chasin said.
Already, the start-up has met with considerable skepticism.
"Would I hire a safecracker to be a security guy at my bank?" asked John
Blackley, information security administrator at Capitol Holding Corporation in
Louisville, Kentucky. "If they stayed straight for 5 to 10 years, I might
reconsider, but 12 to 18 months ago, they were hackers, and now they have to
prove themselves."
"You don't hire ne'er-do-wells to come and look at your system," said Tom
Peletier, an information security specialist at General Motors Corporation.
"The Legion of Doom is a known anti-establishment group, and although it is
good to see they have a capitalist bent, GM would not hire these people."
Comsec already has three contracts with Fortune 500 firms, Chasin said.
"I like their approach, and I am assuming they are legit," said Norman
Sutton, a security consultant at Leemah Datacom Corporation in Hayward,
California. His firm is close to signing a distribution pact with Comsec,
Sutton said.
Federal law enforcers have described the Legion of Doom in indictments,
search warrants, and other documents as a closely knit group of about 15
computer hackers whose members rerouted calls, stole and altered data and
disrupted telephone service by entering telephone switches, among other
activities.
The group was founded in 1984 and has had dozens of members pass through
its ranks. Approximately 12 former members have been arrested for computer
hacking-related crimes; three former members are now serving jail sentences;
and at least three others are under investigation. None of the Comsec founders
have been charged with a computer-related crime.
(Article includes a color photograph of all four founding members of Comsec)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An Offer You Could Refuse? (Page 82) July 1, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~
Tom Peletier, an information security specialist at General Motors in
Detroit, says he would never hire Comsec Data Security, a security consulting
firm launched by three ex-members of the Legion of Doom. "You don't bring in
an unknown commodity and give them the keys to the kingdom," Peletier said.
Chris Goggans, one of Comsec's founders, retorted: "We don't have the keys to
their kingdom, but I know at least four people off the top of my head that do."
Comsec said it will do a free system penetration for GM just to prove the
security firm's sincerity, Goggans said. "All they have to do is sign a
release form saying they won't prosecute."
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Group Dupes Security Experts (Page 16) July 29, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Houston-Based Comsec Fools Consultants To Gather Security Information"
HOUSTON -- Computer security consultants are supposed to know better, but
at least six experts acknowledged last week that they were conned. The
consultants said they were the victims of a bit of social engineering by Comsec
Data Security, Inc., a security consulting firm recently launched.
Comsec masqueraded as a prospective customer using the name of Landmark
Graphics Corporation, a large Houston-area software publisher, to gather
information on how to prepare business proposals and conduct security audits
and other security industry business techniques, the consultants said.
Three of Comsec's four founders are self-professed former members of the
Legion of Doom, one of the nation's most notorious hacker groups, according to
law enforcers.
"In their press release, they say, 'Our firm has taken a unique approach
to its sales strategy,'" said one consultant who requested anonymity, citing
professional embarrassment. "Well, social engineering is certainly a unique
sales strategy."
Social engineering is a technique commonly used by hackers to gather
information from helpful, but unsuspecting employees that may be used to
penetrate a computer system.
"They are young kids that don't know their thumbs from third base about
doing business, and they are trying to glean that from everybody else," said
Randy March, director of consulting at Computer Security Consultants, Inc., in
Ridgefield, Connecticut.
The consultants said gathering information by posing as a prospective
customer is a common ploy, but that Comsec violated accepted business ethics by
posing as an actual company.
"It is a pretty significant breach of business ethics to make the
misrepresentation that they did," said Hardie Morgan, chief financial officer
at Landmark Graphics. "They may not be hacking anymore, but they haven't
changed the way they operate."
Morgan said his firm had received seven or eight calls from security
consultants who were following up on information they had sent to "Karl
Stevens," supposedly a company vice president.
SAME OLD STORY
The consultants all told Morgan the same tale: They had been contacted by
"Stevens," who said he was preparing to conduct a security audit and needed
information to sell the idea to upper management. "Stevens" had asked the
consultants to prepare a detailed proposal outlining the steps of a security
audit, pricing and other information.
The consultants had then been instructed to send the information by
overnight mail to a Houston address that later proved to be the home of two of
Comsec's founders. In some instances, the caller had left a telephone number
that when called was found to be a constantly busy telephone company test
number.
Morgan said "Stevens" had an intimate knowledge of the company's computer
systems that is known only to a handful of employees. While there is no
evidence that the company's systems were penetrated by outsiders, Landmark is
"battering down its security hatches," Morgan said.
Posing as a prospective customer is not an uncommon way to gather
competitive information, said Chris Goggans, one of Comsec's founders, who once
used the handle of Erik Bloodaxe.
"Had we not been who we are, it would be a matter of no consequence,"
Goggans said.
"They confirm definitely that they called some of their competitors," said
Michael Cash, an attorney representing Comsec. "The fact they used Landmark
Graphics was an error on their part, but it was the first name that popped into
their heads. They did not infiltrate Landmark Graphics in any way."
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"LEGION OF DOOM--INTERNET WORLD TOUR" T-SHIRTS!
Now you too can own an official Legion of Doom T-shirt. This is the same
shirt that sold out rapidly at the "Cyberview" hackers conference in St. Louis.
Join the other proud owners such as award-winning author Bruce Sterling by
adding this collector's item to your wardrobe. This professionally made, 100
percent cotton shirt is printed on both front and back. The front displays
"Legion of Doom Internet World Tour" as well as a sword and telephone
intersecting the planet earth, skull-and-crossbones style. The back displays
the words "Hacking for Jesus" as well as a substantial list of "tour-stops"
(internet sites) and a quote from Aleister Crowley. This T-shirt is sold only
as a novelty item, and is in no way attempting to glorify computer crime.
Shirts are only $15.00, postage included! Overseas add an additional $5.00.
Send check or money-order (No CODs, cash or credit cards--even if it's really
your card :-) made payable to Chris Goggans to:
Chris Goggans
5300 N. Braeswood #4
Suite 181
Houston, TX 77096
_______________________________________________________________________________
Steve Jackson Games v. United States of America
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Articles reprinted from Effector Online 1.04 and 1.08
May 1, 1991 / August 24, 1991
"Extending the Constitution to American Cyberspace"
To establish constitutional protection for electronic media and to obtain
redress for an unlawful search, seizure, and prior restraint on publication,
Steve Jackson Games and the Electronic Frontier Foundation filed a civil suit
against the United States Secret Service and others.
On March 1, 1990, the United States Secret Service nearly destroyed Steve
Jackson Games (SJG), an award-winning publishing business in Austin, Texas.
In an early morning raid with an unlawful and unconstitutional warrant,
agents of the Secret Service conducted a search of the SJG office. When they
left they took a manuscript being prepared for publication, private electronic
mail, and several computers, including the hardware and software of the SJG
Computer Bulletin Board System. Yet Jackson and his business were not only
innocent of any crime, but never suspects in the first place. The raid had
been staged on the unfounded suspicion that somewhere in Jackson's office
there "might be" a document compromising the security of the 911 telephone
system.
In the months that followed, Jackson saw the business he had built up over
many years dragged to the edge of bankruptcy. SJG was a successful and
prestigious publisher of books and other materials used in adventure
role-playing games. Jackson also operated a computer bulletin board system
(BBS) to communicate with his customers and writers and obtain feedback and
suggestions on new gaming ideas. The bulletin board was also the repository of
private electronic mail belonging to several of its users. This private mail
was seized in the raid. Despite repeated requests for the return of his
manuscripts and equipment, the Secret Service has refused to comply fully.
More than a year after that raid, the Electronic Frontier Foundation,
acting with SJG owner Steve Jackson, has filed a precedent-setting civil suit
against the United States Secret Service, Secret Service Agents Timothy Foley
and Barbara Golden, Assistant United States Attorney William Cook, and Henry
Kluepfel.
"This is the most important case brought to date," said EFF general
counsel Mike Godwin, "to vindicate the Constitutional rights of the users of
computer-based communications technology. It will establish the Constitutional
dimension of electronic expression. It also will be one of the first cases
that invokes the Electronic Communications Privacy Act as a shield and not as a
sword -- an act that guarantees users of this digital medium the same privacy
protections enjoyed by those who use the telephone and the U.S. Mail."
Commenting on the overall role of the Electronic Frontier Foundation in
this case and other matters, EFF's president Mitch Kapor said, "We have been
acting as an organization interested in defending the wrongly accused. But the
Electronic Frontier Foundation is also going to be active in establishing
broader principles. We begin with this case, where the issues are clear. But
behind this specific action, the EFF also believes that it is vital that
government, private entities, and individuals who have violated the
Constitutional rights of individuals be held accountable for their actions. We
also hope this case will help demystify the world of computer users to the
general public and inform them about the potential of computer communities."
Representing Steve Jackson and the Electronic Frontier Foundation in this
suit are Harvey A. Silverglate and Sharon L. Beckman of Silverglate & Good of
Boston; Eric Lieberman and Nick Poser of Rabinowitz, Boudin, Standard, Krinsky
& Lieberman of New York; and James George, Jr. of Graves, Dougherty, Hearon &
Moody of Austin, Texas.
Copies of the complaint, the unlawful search warrant, statements by Steve
Jackson and the Electronic Frontier Foundation, a legal fact sheet and other
pertinent materials are available by request from the EFF.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Also made available to members of the press and electronic media on
request were the following statement by Mitchell Kapor and a legal fact sheet
prepared by Sharon Beckman and Harvey Silverglate of Silverglate & Good, the
law firm central to the filing of this lawsuit.
"Why the Electronic Frontier Foundation Is
Bringing Suit On Behalf of Steve Jackson"
With this case, the Electronic Frontier Foundation begins a new phase of
affirmative legal action. We intend to fight for broad Constitutional
protection for operators and users of computer bulletin boards.
It is essential to establish the principle that computer bulletin boards
and computer conferencing systems are entitled to the same First Amendment
rights enjoyed by other media. It is also critical to establish that operators
of bulletin boards -- whether individuals or businesses -- are not subject to
unconstitutional, overbroad searches and seizures of any of the contents of
their systems, including electronic mail.
The Electronic Frontier Foundation also believes that it is vital to hold
government, private entities, and individuals who have violated the
Constitutional rights of others accountable for their actions.
Mitchell Kapor,
President, The Electronic Frontier Foundation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"Legal Fact Sheet: Steve Jackson Games v. United States Secret Service, et al"
This lawsuit seeks to vindicate the rights of a small, successful
entrepreneur/publisher to conduct its entirely lawful business, free of
unjustified governmental interference. It is also the goal of this litigation
to firmly establish the principle that lawful activities carried out with the
aid of computer technology, including computer communications and publishing,
are entitled to the same constitutional protections that have long been
accorded to the print medium. Computers and modems, no less than printing
presses, typewriters, the mail, and telephones -- being the methods selected by
Americans to communicate with one another -- are all protected by our
constitutional rights.
Factual Background and Parties:
Steve Jackson, of Austin, Texas, is a successful small businessman. His
company, Steve Jackson Games, is an award-winning publisher of adventure games
and related books and magazines. In addition to its books and magazines, SJG
operates an electronic bulletin board system (the Illuminati BBS) for its
customers and for others interested in adventure games and related literary
genres.
Also named as plaintiffs are various users of the Illuminati BBS. The
professional interests of these users range from writing to computer
technology.
Although neither Jackson nor his company were suspected of any criminal
activity, the company was rendered a near fatal blow on March 1, 1990, when
agents of the United States Secret Service, aided by other law enforcement
officials, raided its office, seizing computer equipment necessary to the
operation of its publishing business. The government seized the Illuminati BBS
and all of the communications stored on it, including private electronic mail,
shutting down the BBS for over a month. The Secret Service also seized
publications protected by the First Amendment, including drafts of the
about-to-be-released role playing game book GURPS Cyberpunk. The publication
of the book was substantially delayed while SJG employees rewrote it from older
drafts. This fantasy game book, which one agent preposterously called "a
handbook for computer crime," has since sold over 16,000 copies and been
nominated for a prestigious game industry award. No evidence of criminal
activity was found.
The warrant application, which remained sealed at the government's request
for seven months, reveals that the agents were investigating an employee of the
company whom they believed to be engaged in activity they found questionable at
his home and on his own time. The warrant application further reveals not only
that the Secret Service had no reason to think any evidence of criminal
activity would be found at SJG, but also that the government omitted telling
the Magistrate who issued the warrant that SJG was a publisher and that the
contemplated raid would cause a prior restraint on constitutionally protected
speech, publication, and association.
The defendants in this case are the United States Secret Service and the
individuals who, by planning and carrying out this grossly illegal search and
seizure, abused the power conferred upon them by the federal government. Those
individuals include Assistant United States Attorney William J. Cook, Secret
Service Agents Timothy M. Foley and Barbara Golden, as well as Henry M. Kluepfel
of Bellcore, who actively participated in the unlawful activities as an agent
of the federal government.
These defendants are the same individuals and entities responsible for the
prosecution last year of electronic publisher Craig Neidorf. The government in
that case charged that Neidorf's publication of materials concerning the
enhanced 911 system constituted interstate transportation of stolen property.
The prosecution was resolved in Neidorf's favor in July of 1990 when Neidorf
demonstrated that materials he published were generally available to the
public.
Legal Significance:
This case is about the constitutional and statutory rights of publishers
who conduct their activities in electronic media rather than in the traditional
print and hard copy media, as well as the rights of individuals and companies
that use computer technology to communicate as well as to conduct personal and
business affairs generally.
The government's wholly unjustified raid on SJG, and seizure of its books,
magazines, and BBS, violated clearly established statutory and constitutional
law, including:
o The Privacy Protection Act of 1980, which generally prohibits the
government from searching the offices of publishers for work product and
other documents, including materials that are electronically stored;
o The First Amendment to the U.S. Constitution, which guarantees freedom
of speech, of the press and of association, and which prohibits the
government from censoring publications, whether in printed or electronic
media.
o The Fourth Amendment, which prohibits unreasonable governmental searches
and seizures, including both general searches and searches conducted
without probable cause to believe that specific evidence of criminal
activity will be found at the location searched.
o The Electronic Communications Privacy Act and the Federal Wiretap
statute, which together prohibit the government from seizing electronic
communications without justification and proper authorization.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
STEVE JACKSON GAMES UPDATE:
THE GOVERNMENT FILES ITS RESPONSE
After several delays, the EFF has at last received the government's response to
the Steve Jackson Games lawsuit. Our attorneys are going over these documents
carefully and we'll have more detailed comment on them soon.
Sharon Beckman, of Silverglate and Good, one of the leading attorneys in the
case, said:
"In general, this response contains no surprises for us. Indeed, it
confirms that events in this case transpired very much as we thought
that they did. We continue to have a very strong case. In addition,
it becomes clearer as we go forward that the Steve Jackson Games case
will be a watershed piece of litigation when it comes to extending
constitutional guarantees to this medium."
_______________________________________________________________________________
Feds Arrest "Logic Bomber" July 1, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~
by Michael Alexander (ComputerWorld)(Page 10)
SAN DIEGO -- Federal agents arrested a disgruntled programmer last week
for allegedly planting a logic bomb designed to wipe out programs and data
related to the U.S. government's billion-dollar Atlas Missile program.
According to law enforcers, the programmer hoped to be rehired by General
Dynamics Corporation, his former employer and builder of the missile, as a
high-priced consultant to repair the damage.
Michael J. Lauffenburger, age 31, who is accused of planting the bomb, was
arrested after a co-worker accidentally discovered the destructive program on
April 10, 1991, disarmed it and alerted authorities. Lauffenburger had
allegedly programmed the logic bomb to go off at 6 p.m. on May 24, 1991 during
the Memorial Day holiday weekend and then self-destruct.
Lauffenburger is charged with unauthorized access of a federal-interest
computer and attempted computer fraud. If convicted, he could be imprisoned
for up to 10 years and fined $500,000. Lauffenburger pleaded innocent and was
released on $10,000 bail.
The indictment said that while Lauffenburger was employed at the General
Dynamics Space Systems Division plant in San Diego, he was the principal
architect of a database program known as SAS.DB and PTP, which was used to
track the availability and cost of parts used in building the Atlas missile.
On March 20, he created a program called Cleanup that, when executed,
would have deleted the PTP program, deleted another set of programs used to
respond to government requests for information, and then deleted itself without
a trace, according to Mitchell Dembin, the assistant U.S. attorney handling the
case.
_______________________________________________________________________________